The Internet of Toys: stimulating creativity or a security nightmare?


In March 2017 the European Commission published a report entitled “Kaleidoscope on the Internet of Toys: Safety, security, privacy and societal insights”,[1] a technical report produced by the Joint Research Centre (JRC). The report addresses questions emerging from the rise of the Internet of Toys by offering views on six specific topics analysed by different experts.

This article first examines what is meant by a connected toy and then explores privacy and security concerns surrounding some of these toys. Thereafter the conclusions of the JRC report will be discussed and finally some predictions will be made about the future of connected toys.

What are connected toys?

The JRC report refers to the concept of the “Internet of Toys”, namely internet-connected toys, which constitute a subset of the Internet of Things (IoT). In order for a toy to be connected it is not necessary for it to have a screen or otherwise resemble devices we traditionally associate with a connection to the internet, such as a computer, iPad or smart phone. The toys can take many different forms and be anything from a teddy bear or a doll to a watch. The common feature they share is that they are all connected to the internet in some way. Some are also “smart” toys.

A distinction can be drawn between smart and connected toys. Smart toys are toys that have electronic features, for instance a camera, sensor, or microphone, that facilitate interaction between the toy and a child and allow the toy to adapt to a child’s actions. Smart toys do not, however, necessarily have a connection to the internet. Robots that can interact with humans in an autonomous and socially meaningful way (i.e. not necessarily toys), also referred to as “social robots”, can be smart toys as well.[2] Connected toys, by contrast, are toys designed to connect to the internet, but they are not necessarily smart. This distinction between smart and connected toys has been described by the Future of Privacy Forum & Family Online Institute.[3] Toys that are both connected and smart can record, among other things, sounds, images, movement, and location, but their key distinguishing feature is that they can also share the data which they have recorded, the so-called “play data”.[4]

Toys that record sounds, images and the like and interact with a child are not new but have in fact existed for decades. Social robots have also been used in toys for some time already; for instance a robot dinosaur called Pleo[5] was introduced nearly ten years ago. Because social robots and other smart toys often look very much like ordinary toys, a child’s interaction with them is much like it would be with a non-smart version; the interactive features, however, allow the child and the toy to engage reciprocally. What is new is the connection to the internet.[6]

The purpose of the internet connection is the sharing of the play data. The internet connection can allow the toy to adjust the interaction to the child by personalising it, for example based on previous interactions or information about other toys’ interactions with similar children. Analysis of the play data may also facilitate learning by providing feedback to the child. One specific area where such learning may be facilitated is foreign languages, where connected toys may serve as virtual language tutors.[7]

An example of a connected toy is the Furby,[8] a furry robotic toy that somewhat resembles a hamster, first released in 1998, whose most recent version is connected to a mobile app. A Furby can be fed and can use a toilet via the app, and children can for instance collect and swop virtual Furby eggs. When the app is used the toy has an actual physical reaction such as flashing its eyes or talking in “Furbish”. It is also connected to popular songs and videos. One of the contributors to the JRC report referenced observations of a two-year-old playing with a Furby. She explained that the toddler engaged in extensive imaginative play, leading to the conclusion that although children have always pretended that toys are alive, the fact that the Furby talks, sings and flashes its eyes makes that leap easy.[9]

It has therefore been argued that when playing with connected toys the key differences compared to conventional toys are: the extent to which children may connect with others; the merging of online and offline domains and public and private spaces; and the extent to which play can be shaped by global factors, such as music or videos. Play and social interactions by children are no longer confined to where they are located physically, and the Internet of Toys enables children’s imaginations to encompass a different kind of virtuality, with the toy operating as a “boundary object”.[10]

According to the JRC report the connected toys market was worth $2.8 billion in 2015, compared to $22 billion for the toy industry as a whole, but is projected to grow to $11.3 billion by 2020.

Are there reasons to be concerned about these toys?

The fact that connected toys are directly connected to the internet has, however, raised a number of concerns. The sharing of play data raises the question of who is able to access that data. For data that allows interaction with the toy, access should most obviously be had by the child him/herself or the parents. In some cases, analysis of play data may even help parents, teachers and health care providers to monitor the child’s use of the toy or even bodily functions such as heart rate. However, other entities may also have access.

The service provider of the connected toy not only has access to the data but can also record and manipulate it. One contribution to the JRC report discusses this topic, explaining that what play data is recorded, and the purpose for which it is stored, analysed and shared, is usually set out in the toy company’s privacy policy, although in reality not many parents actually read these policies. Play data is personal data and it is therefore crucial that toy companies and their service providers treat it with the required precautions. In addition to play data, depending on the toy, other personal data that it may also be possible to collect and manipulate include the name, age, location, email address, and postal address. Other data, including IP addresses and online behaviour, can also potentially be collected.[11]

An even greater concern is presented if there are data security problems and what may transpire if the toys are vulnerable to being hacked. Such concerns have been brought to light by white hat hackers who have tested toys.

One such case is the Fisher-Price Smart Bear, reported in March 2016. The toy is a connected teddy bear advertised as having the ability to learn about a child. The bear is accompanied by an app through which parents can enter information that enables the bear to interact with a child. Testers, however, found multiple security flaws in the app that would allow easy access to the information about the child that had been entered by a parent via the app such as name, birthdate and gender. Fisher-Price has since remedied the security flaws but it was suggested that they could, for instance, have been used to gather information on a child’s family to trick the family in a phishing attack.[12]

Another case is Mattel’s Hello Barbie, which was first publicised in late 2015. This Barbie doll is marketed as interactive and able to listen to a child and respond. It has a microphone that records the child’s speech and, through a Wi-Fi connection, sends it out to Mattel’s voice-processing partner, ToyTalk, for processing, and the doll then responds in natural language. Testing revealed, however, that the doll was vulnerable to hacking. In fact, it was not difficult to gain access to its system, account information, stored audio and microphone. Although the doll only records when a button is pressed and the recordings are encrypted, a hacker only needs to gain control of the doll’s system; once that has been achieved, all privacy features can be turned off and the microphone can be used as a surveillance device.[13] Mattel has since addressed the problem and offered a bug bounty program with ToyTalk. Since then Mattel has received positive feedback for its privacy policy and for minimising data collection.[14]

A third example is two connected toys by Genesis Toys, a doll named My Friend Cayla marketed to girls, and a robot named i-Que marketed to boys, which are said to be able to hold a conversation with a child. They access the internet by connecting to smartphones using Bluetooth and, with speech recognition software, use a child’s statements to find answers from, for instance, Google or Wikipedia. The toys can understand and nearly instantaneously respond to almost anything, including by singing, telling stories, playing games, and sharing photos from an album. According to the Genesis privacy policy all data can be stored and shared with certain third parties. In January 2015 testers at Pen Test Partners revealed that My Friend Cayla and i-Que were vulnerable to hacking; however, two years later the problem still has not been rectified.[15] Concerns about these toys were raised in December 2016 in a complaint by consumer groups before the Federal Trade Commission in the US, alleging that the toys ask for personal information, such as parents’ names, school name and home city, and record conversations without any limitations on the use or disclosure of the recorded information.[16]

The consumer groups also say the toys do not employ basic Bluetooth security, such as requiring a pairing code. This means that when the toys are on and not already paired with another device, any smartphone within a 50-foot range can establish a connection, which in turn means that anyone within that distance can use the toy as a surveillance device.[17] In addition, although the toymaker states that the toys contain software to block hundreds of inappropriate words, testers found it fairly easy to hack into the toy and program it to say words from the blocked list.[18]

A complaint similar to the one in the U.S. has already been filed in Norway and complaints will also be filed in France, Sweden, Greece, Belgium, Ireland and the Netherlands, with further calls for investigations into the privacy concerns surrounding these toys.[19] The latest development is that in February 2017 Germany went as far as banning the My Friend Cayla doll, ordering parents to destroy or disable it on grounds that it could be used for surveillance.[20] Jochen Homann, President of Germany’s Federal Network Agency, or Bundesnetzagentur, stated that “Objects that conceal transmittable cameras or microphones and thus pass on data unintentionally endanger the privacy of the people” and that the ban was “about the protection of society’s most vulnerable.”[21]

What can we learn from the JRC report?

As highlighted in the examples set out in the previous sections, sharing play data from connected toys can have useful purposes, but depending on the toy company the play data, other personal data and other information may be passed on to third parties. Most critically if the toys contain flaws or vulnerabilities the connection to the internet may make them susceptible to hacking which may pose serious privacy and security concerns. The JRC report has set out the findings of several experts in connection with the current state of connected toys.

One contribution to the report focused on the fact that play data as personal data must be carefully managed. Accordingly, the conclusion was that while it is generally parents who make decisions about play data there should also be an obligation on the part of the toy industry to address data protection concerns in a child- and family-friendly way.[22]

Another author called the impact of connected toys the “dataification” of children. This term refers to tracking of human activity using smart devices and storing the data, which in the case of children, unlike with adults who voluntarily choose to track themselves, is either done by adults or by children based on incentives to do so. The author hence cautioned that such practices turn the concept of surveillance into something normal. Such surveillance, however, raises exactly the kinds of concerns referred to previously, namely threats to children’s privacy, considering that at the moment there is a lack of transparency about how the data is recorded and manipulated.[23]

A third author had a somewhat different outlook, feeling that connected toys do not require a fundamental re-thinking of what play is, nor that they suggest that children are less creative, but that they offer further opportunities for children. She concluded that it is necessary to consider a number of factors, including the concerns raised by other authors of the JRC report, but emphasised that the focus should be on considering the quality of play that takes place when they are used, not on anxiety about the potential loss of play and creativity.[24]

A fourth author felt that connected toys likely present both opportunities and risks for children; specifically, for cognitive, socio-emotional, and moral-behavioural development. On the socio-emotional level, for example, interacting with toys may compensate for deficits in interactions with humans which could be a positive consequence unless it is used to displace actual interaction with humans.[25]

To date, little discussion regarding connected toys has taken place and as a result there is at present scant regulatory oversight of these products. One author discussed the fact that very recently, however, consumer groups in Norway and the US have raised privacy and security concerns related to connected toys, including by petitioning the US Federal Trade Commission to take action against toy companies. The author concluded by hoping that the steps taken by these consumer groups will bring about a more nuanced discussion, as well as policy and regulatory attention as to what needs to be done in terms of policy, industry practice and parenting advice in order to mitigate risks and maximise benefits of the Internet of Toys.[26]

Finally, one author explained that the knowledge of child development, play and communication varies among toy manufacturers, and that as a result some of the connected toys are not as well made as they could be, while at the same time changes are sometimes called for by academics that are not easily possible or commercially viable. She therefore concluded that academics, designers and the industry need to work together to produce the best products possible.[27]

There was general consensus among all of the authors that increased research into connected toys and their influence on children is needed in order to better understand what impact they have on children, including on their development.

Finally, the JRC report provides an overall conclusion that refers to an urgent need for a framework for the use of connected toys.

Are connected toys here to stay?

The argument can easily be made that it is better for children to focus on real human interaction than to play with toys that emulate human interaction. Considering the pace of technological development and the development of the internet in particular, it is, however, probably not realistic to imagine that toys can be eliminated from among internet-connected devices now that they have been developed and are on the market.

That being said, the concerns highlighted by the Smart Bear, the Hello Barbie, and the My Friend Cayla and i-Que toys, discussed above, particularly vulnerabilities to hacking and a lack of clarity on the part of toy companies about their use of the personal data they collect, suggest that there is a rush to get connected toys onto the market before their possible repercussions have been fully analysed. This in turn makes it plain that there definitely are serious questions concerning privacy and security that must be looked into and addressed.

As evidenced by researchers testing and seeking to hack into these connected toys and the recent consumer group complaints that have resulted, it appears, however, that these toys are already being subjected to greater scrutiny. It is therefore possible that this increased scrutiny might lead to regulators also taking a greater interest in the subject. Such regulations might include requiring improved security features to prevent hacking, greater transparency and clarity about the intended use of play data and other personal data, including specifically the ability for parents to opt out, as well as requiring privacy policies that minimise the use of any personal data that is collected. It should be emphasised, however, that in connection with data protection in particular the law already places significant restrictions on the use of personal data which therefore need to be effectively implemented.

The commissioning of a research report by the European Commission with a conclusion that there is an urgent need for a framework to address the topic in and of itself already highlights that the issue is already receiving more attention and is now at the very least on the radar of decision makers within the EU. As is often the case, however, it appears as though connected toys are a case where policy and regulations must try to play catch-up with an industry that has already put the new products on the market. In light of the latest development in connection with the My Friend Cayla doll with Germany already having gone as far as banning the product it will remain to be seen whether other countries will take a similar approach.

Due to the added publicity that these concerns are receiving it can also be hoped that parents and carers become better informed about connected toys so as to be able to make more informed decisions about whether to purchase them for their children. For better or for worse connected toys are probably here to stay.

Kemp Little LLP is a limited liability partnership registered in England and Wales (registered number OC300242) and is authorised and regulated by the Solicitors Regulation Authority. Its registered office is Cheapside House, 138 Cheapside, London EC2V 6BJ.